Anonymous communication over virtual, modular and distributed satellite communications network

ABSTRACT

The present disclosure relates to a system for providing an anonymous and obfuscated communication over a virtual, modular and distributed satellite communication network.

CROSS-REFERENCE TO RELATED APPLICATIONS

This patent application is a continuation application of U.S. patent application Ser. No. 16/600,258, filed 11 Oct. 2019, which claims the benefit of U.S. Provisional Patent Application No. 62/907,320, filed on 27 Sep. 2019. Each of these applications is incorporated by reference in its entirety.

BACKGROUND

The objective of this method is to provide anonymous and obfuscated communication over a virtual, modular and distributed satellite-based communications network. A modular and distributed satellite communications network is one where the Users, the Digital Modem (DM), the Wideband Signal Channelizer (WSC), and the Radio Frequency Digital Converter (RFDC) are not collocated but are interconnected over a network. The User transmits and receives user data over the network. The DM, which performs the base-band signal processing to modulate and demodulate the satellite waveforms, is a virtualized software application running on a High Performance Computing (HPC) PC or server, which consists of one or more Central Processing Unit (CPU) cores and minimally a hardware acceleration component that may be a Field-Programmable Gate Array (FPGA), a Graphic Processing Unit (GPU), or a Digital Signal Processor (DSP). From here on, the HPC PC or server will simply be referred to as HPC. The WSC functions as a channelizer and converts the signal to base band for one or more DMs. The WSC is also a virtualized application targeting an HPC. The RFDC converts between Radio Frequency (RF) signal and digitized samples for transport to and from a WSC. The RFDC implements the high-speed Digital to Analog Converter (DAC) and Analog to Digital Converter (ADC) for this conversion. The RFDC is waveform agnostic and may support multiple frequency bands. Quite often the WSC and the RFDC may be combined into a single device, called an Edge Device. The RFDC is also a virtualized application targeting an HPC. However, the RFDC must also have the ADC and DAC components integrated within the HPC, for example as a PCIe plug-in card.

The User would send user data over the network as ethernet packets to a DM. The DM would be configured to utilize a specific waveform to modulate the user data into a modulated signal, and to encapsulate and transport the digital I/Q samples of this modulated signal over the network as ethernet packets to a WSC. The WSC would group one or more carriers into sub-channels and transport the digitized samples as encapsulated data over the network as ethernet packets to an RFDC. In turn, the RFDC converts the digitized I/Q sub-channels from one or more WSCs into an RF signal for transmission over a satellite. There are various encapsulation methods for transporting data between these sub-components in a distributed and modular satellite communications network, which are outside of the scope here. In some cases, proprietary encapsulation may be used. In other cases, it may be based on a standard, such as ANSI TIA 5041, which is based on the VITA-49 protocol.

For reception of a satellite signal, the same path is traversed in reverse order and the inverse functionality is applied to recover the user data that is then received by another user.

The virtualized, modular, and distributed communications network topology offers many advantages, use cases, and benefits over a fully integrated and co-located communication system. Some benefits include scalability, flexibility, and resiliency of the network. It is scalable because the communication network can be appropriately sized by simply instantiating more DMs and WSCs as instances of virtualized applications executed on HPCs in private data centers or in public data centers as cloud-based applications. It is flexible because the virtualized functionalities can easily be updated as software applications without the need to modify and change hardware components. It is resilient because various waveforms and communication paths can be selected in real-time to circumvent network congestion or communication path interruption. And, in some use cases, the communication terminals and the hub may simply be too far apart from each other. On the other hand, the modular and distributed communications network also creates a challenge where there is more opportunity for eavesdropping as user data and digitized modulated signals are now routed across a network. If any node in the network has been compromised, information pertaining to the sender and receiver, such as the source and destination IP addresses, location, amount and time of traffic, and the traffic content itself, can all be accessed by a network intruder.

SUMMARY

The novelty describes a method and system to obfuscate communications between sub-components in the virtual, modular and distributed satellite communications network and provides anonymous end-to-end communication between users. The method is based on multi-layer encryption routing to obfuscate user identity, source/destination IP addresses, location and to provide multi-layer encryption to provide anonymity and protect the network from traffic analysis and eavesdropping.

The method, from here on referred to as Obfuscated Virtual Communication (OVC) protocol, allows for the secure and anonymous routes to be created between the user and the DM, as well as, between the DM and the WSC, and between the WSC and the RFDC. Each secure and anonymous route between any two subcomponents in the communications path is called a chain. The OVC protocol also implements the cryptographic functionality for the chain. OVC protocol in combination with a satellite waveform that implements Transmission Security (TRANSEC) to obfuscate the communication path over the satellite between two users is also fully protected for a complete anonymous and end-to-end communication solution.

A user that needs to communicate can utilize the OVC protocol to define the chain of nodes to close a circuit with another user, where the circuit includes a satellite or wireless connection. The first node in every chain is called the source node, and is the user's HPC. The last node in a chain is called the destination node. Nodes that are capable of hosting and executing virtualized waveforms and have the required trust level are designated as DM nodes. Nodes that are capable of hosting and executing WSC as a virtualized function and have the required trust level are designated as WSC nodes. Nodes with the capability to function as an RFDC and that have the required trust level are designated as RFDC nodes. There are nodes that may have the resource capacity and trust level to function as more than one single device and may have multiple functional roles designated. The resource capacity of each node is determined based on the compute power of the node. The trust level of a node depends on various factors, including where it is located. For example, a node that resides in a private data center and in a controlled environment would be much more trusted than a node that is part of a public data center in a cloud.

The connection between the User node and the DM node, between the DM node and the WSC node, and between the WSC node and the RFDC node are each referred to as a chain. Each chain may consist of multiple intermediary nodes. And, each chain is a separate multi-layer encrypted route, where the source node encrypts the traffic multiple times with the encryption key for every node in the chain. This creates a multi-layer encryption of both user data and the digitized modulated I/Q that is highly secure. As the data traverses the nodes along the chain, each intermediary node in a chain decrypts one of the layers to expose the next hop. Thus, each node in the link can only determine that the data is being sent from the prior node, and only knows the next node to send the data to. Thereby, the communication chain is held anonymous between the source node all the way through the destination node, and the traffic remains obfuscated and protected from any intermediary node in a network that may have been compromised.

The OVC protocol relies on the Node Directory Server (NDS) to obtain the list of nodes, their availability, and designated functionality or functionalities based on compute capacity and trust level. The NDS collects information from every node in the network to maintain and update the directory list. When a user requires a communication circuit, the OVC protocol uses the directory list provided by the NDS to select the best path to close the circuit. The OVC designates which node in the path will function as the DM, WSC, and RFDC to convert between the modulated I/Q data and RF signal. It also determines the intermediary nodes along each chain.

The described method is supported by an HPC as the source node for every chain. Source nodes consist of the Users, the DM nodes, WSC nodes, and RFDC nodes. These nodes have specialized functionality, as well as, the burden of generating the multi-layer encrypted traffic at line rate. The intermediary nodes in every chain are simply performing a single decryption to remove one of the multi-layer encryption layers until the traffic is received by the destination node where the final layer of encryption is removed. Furthermore, the intermediary nodes are not performing specialized functions either. The intermediary nodes are simply forwarding the traffic from a prior node to the next. Utilizing the HPC server, which consists of one or more CPUs and one or more integrated hardware acceleration devices based on a Graphic Processing Unit (GPU) or Field Programmable Gate Array (FPGA), provides a novel approach to performing the multi-layer encryption at extremely high data rate, resulting in the nearly “line rate” operation required for the virtual, modular and distributed satellite communication infrastructure. The HPC heterogenous architecture provides the hardware capabilities needed for hosting virtualized applications for the DM, the WSC, the RFDC, as well as, the OVC protocol. The OVC protocol, which includes the multi-layer encryption, will be implemented in a high-level programming language that supports heterogenous compute environments and parallel processing, such as the Open Computing Language (OpenCL) to generate, for example, an x86 compliant executable code. When a source node performs the multi-layer encryption, aspects of the algorithm that are CPU intensive can be implemented as optimized kernel code targeting the hardware acceleration device, such as the FPGA on an OpenCL compliant PCIe card. This method of implementation allows for much higher performance for the multi-layer encryption functionality.
The higher performance provided by the HPC supports the high throughput required to support a virtualized, modular, communications infrastructure. This is because after user data has been modulated, the throughput needed to transport the digitized I/Q signals can be significantly more than the actual user data. The throughput between the DM and the WSC, and the WSC and RFDC is all a function of the digitized bandwidth being transported, and this can be hundreds of Giga-bits-per-second (Gbps) of traffic. By implementing the OVC protocol and its multi-layer encryption scheme in the HPC architecture, such high throughputs can be supported. Furthermore, the high throughput also avoids constraining the number of intermediary nodes per chain based on the limits of the multi-layer encryption functionality. The number of layers of encryption that need to be performed by the source node HPC is directly dependent on the number of intermediary nodes in the chain. Without this constraint, the OVC protocol can more effectively determine the best communication path for a chain without being limited.

The OVC protocol and its multi-layer encryption routing can be implemented as another virtualized functionality targeting the HPC that can be integrated with the virtualized functionality of the particular node, whether it is a DM, WSC, or RFDC.

It is the objective of this invention to define a system and a method of providing obfuscated and anonymous communication for a virtualized, modular, and distributed satellite communication infrastructure. The method and system described here is based on a protocol referred to in this invention as OVC protocol, which provides the messaging and handshake between different node types to establish the chain between each sub-system, as well as, implements the multi-layer encryption. Once the circuit has been established, the OVC implemented as a virtualized application targeting the HPC at every Source Node performs the actual encryption at line rate or the maximum rate of a given communication path. The source nodes are HPC servers that can host and execute the designated functionality, based on whether the node is a User Node, DM Node, WSC Node, or RFDC node, while also integrating the OVC protocol as a method for obfuscation of communication traffic.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates the prior art of a particular implementation of a modular communication infrastructure;

FIG. 2 illustrates eavesdropping by network intruders in the prior art of a particular implementation of a modular communication infrastructure;

FIG. 3 illustrates traffic analysis by network intruders in the prior art of a particular implementation of a modular communication infrastructure;

FIG. 4 illustrates a particular implementation of an obfuscated and virtualized communication infrastructure in accordance with an implementation of the disclosure;

FIG. 5 illustrates an alternative embodiment of an obfuscated and virtualized communication infrastructure with a bidirectional communication in accordance with an implementation of the disclosure;

FIG. 6 illustrates an alternative embodiment of an obfuscated and virtualized communication infrastructure with a bidirectional communication using two independent circuits in accordance with an implementation of the disclosure;

FIG. 7 illustrates an alternative embodiment of an obfuscated and virtualized communication infrastructure with combined specialized nodes in accordance with an implementation of the disclosure;

FIG. 8 illustrates an alternative embodiment of an obfuscated and virtualized communication infrastructure with a multi-layer encryption providing network security and obfuscation in accordance with an implementation of the disclosure;

FIG. 9 illustrates a particular implementation of a high performance computer architecture for hosting virtualized application in accordance with an implementation of the disclosure;

FIG. 10 illustrates multi-layer encryption and routing in accordance with an implementation of the disclosure.

At the outset, it should be appreciated that like drawing numbers on different drawing views identify identical structural elements of the invention. It also should be appreciated that figure proportions and angles are not always to scale in order to clearly portray the attributes of the present invention.

DETAILED DESCRIPTION

While the present invention is described with respect to what is presently considered to be the preferred embodiments, it is understood that the invention is not limited to the disclosed embodiments. The present invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Furthermore, it is understood that this invention is not limited to the particular methodology, materials and modifications described and as such may, of course, vary. It is also understood that the terminology used herein is for the purpose of describing particular aspects only and is not intended to limit the scope of the present invention, which is limited only by the appended claims.

Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood to one of ordinary skill in the art to which this invention belongs. It should be appreciated that the term “substantially” is synonymous with terms such as “nearly”, “very nearly”, “about”, “approximately”, “around”, “bordering on”, “close to”, “essentially”, “in the neighborhood of”, “in the vicinity of”, etc., and such terms may be used interchangeably as appearing in the specification and claims. It should be appreciated that the term “proximate” is synonymous with terms such as “nearby”, “close”, “adjacent”, “neighboring”, “immediate”, “adjoining”, etc., and such terms may be used interchangeably as appearing in the specification and claims. Although any methods, devices or materials similar or equivalent to those described herein can be used in the practice or testing of the invention, the preferred methods, devices, and materials are now described.

This disclosure, its aspects and implementations, are not limited to the specific processing techniques, components, word/bit widths, or methods disclosed herein. Many additional components and processes known in the art consistent with the modification, manipulation and encryption and decryption of a file or files by a computer program are in use with particular implementations from this disclosure. Accordingly, for example, although particular implementations are disclosed, such implementations and implementing components may comprise any components, models, versions, quantities, and/or the like as is known in the art for such systems and implementing components, consistent with the intended operation.

Particular implementations of a method and approach within an HPC architecture of how to provide obfuscated and high-performance traffic flow in a virtualized and modular communications infrastructure are described. However, as will be clear to those of ordinary skill in the art from this disclosure, the principles and aspects disclosed herein may readily be applied to a multitude of modular and distributed communications infrastructure without undue experimentation.

FIG. 1 illustrates the prior art of a particular implementation of a modular communication infrastructure that is based on purpose-built sub-components with traffic sent as plaintext. In this communication infrastructure, the location of the User, the DM, the WSC, and the RFDC are fixed and the traffic sent over the network is exposed.

FIG. 2 illustrates the prior art of a particular implementation of a modular communication infrastructure where a network intruder can eavesdrop by compromising any one of the nodes to collect critical information, such as the source and destination IP addresses, the location of the sender and recipient, and the content of the payload being transmitted. In this figure, two intruders are both monitoring the user data being sent to a purpose-built DM, as well as, the digitized samples of the modulated carrier from receive RFDC to the receive WSC. The prior art, as shown, continues to perform despite having one or more of the network nodes being compromised.

FIG. 3 illustrates the prior art of a particular implementation of a modular communication infrastructure where a network intruder can determine the beginning and end of a communication traffic by simply performing traffic analysis on the traffic through the network. The prior art, as shown, performs in an acceptable manner when any of the network nodes has been compromised.

FIG. 4 illustrates the novelty of the invention where the modular communication infrastructure is virtualized and obfuscated with the OVC protocol as applications on HPCs to implement the multi-layer routed encryption scheme. The network shown is a unidirectional communication circuit, where one sender is sending data to a recipient. The traffic sent over this network is fully encrypted using multi-layer encryption for the highest level of security. In the figure, the encrypted circuit is displayed in blue. The source node obtains the directory list from the NDS to determine the best path and the location of the specialized nodes, which include the DM, WSC, and RFDC. The Public Key Infrastructure (PKI) server provides authentication and the public key for each of the nodes in the network.

FIG. 5 illustrates the novelty of the invention where the modular communication infrastructure supports bidirectional communication along the same circuit.

FIG. 6 illustrates the novelty of the invention where the modular communication infrastructure supports bidirectional communication along two independent circuits.

FIG. 7 illustrates the novelty of the invention where the modular communication infrastructure provides the flexibility of designating a node with more than one specialized function. The figure shows how one designated node has been assigned to function as the DM, WSC, and RFDC simultaneously, while supporting the OVC protocol. Such flexibility is possible because all functionalities are virtualized applications targeting the HPC.

FIG. 8 illustrates the novelty of the invention where the OVC protocol and its multi-layer encryption functionality is protecting the traffic and obfuscating the sender and recipient from network intruders. FIG. 8 shows a network intruder that has compromised one of the intermediary nodes between the Sender and the DM Node. Since this chain consists of four nodes, the source node had encrypted this traffic four times. By the time the traffic is decrypted by the second node, there are still two more layers of encryption left to unwrap. In addition, the intruder can only determine that the traffic originated from the previous node and is destined for the next node. The figure also shows an intruder that has compromised an intermediary node after the receive RFDC Node. This time the traffic has five additional encryption layers to be unwrapped before the content of the traffic can be exposed. Also, the Sender and the Recipient are kept anonymous.

FIG. 9 illustrates the novelty of the invention where the OVC protocol and its multi-layer encryption functionality is implemented as a virtualized application targeting a heterogenous and parallel processing HPC architecture. This approach to a virtualized application can provide the high-throughput needs of the modular communication infrastructure.

FIG. 10 illustrates the novelty of the invention where the OVC protocol and its multi-layer encryption functionality is providing multi-layer encryption protection on traffic sent from the User Node to the DM Node. In this figure there are four nodes in this chain. Thus, the source HPC performs four layers of encryption with the specific key for every node. For every layer of encryption, the information for the next node to send the traffic to is appended. Each intermediary node uses its own key to unwrap one of the layers of encryption and expose the destination for the next node, until the traffic arrives at the DM Node and is fully unwrapped.

In the preferred embodiment, the described invention utilizes a high-performance computing HPC PC or server with at least one CPU and a hardware acceleration device and utilizing a high-level coding language platform to perform the method as an application. The HPC PC or the server includes a non-transitory computer-readable storage medium that stores executable instructions embodying the method. The instructions may also reside, completely or at least partially, within a main memory of the HPC PC or the server as instructions and/or within the CPU or the hardware acceleration device as instructions during execution thereof by the HPC PC or the server; the main memory, the CPU, and the hardware acceleration device also constituting machine-accessible storage media.

The term “non-transitory computer-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The term “non-transitory computer-readable storage medium” shall also be taken to include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the disclosure. The term “non-transitory computer-readable storage medium” shall accordingly be taken to include, but not be limited to, solid-state memories, and optical and magnetic media.

The high-level coding language supports heterogenous and parallel computing to help accelerate particular algorithms of the OVC protocol for maximum throughput. An example of such coding language is the OpenCL language, which allows partitioning of the application between host code running on the CPU and the optimized kernel code running on the hardware acceleration device, such as an FPGA. The OVC protocol may be integrated with the DM, the WSC, and the RFDC virtualized applications. On the other hand, it may also be a separately running application. The multi-layer encryption is one such functionality that will be implemented as optimized kernel code to meet the required throughput for traffic over such network.

The OVC protocol performs the following functionalities:

(a) Messaging between network nodes and the NDS to announce a node's presence, status and capabilities in terms of available compute resource for maintaining the node directory list,
(b) Source Node establishing a multi-layer obfuscated communication chain through intermediary nodes to the Destination Node,
(c) Source Node performing the multi-layer encryption using a unique key established with each node in the chain,
(d) Intermediary nodes decrypting a layer of encryption to expose the next hop and forwarding traffic to the final Destination Node.

The User needs to set up a communication path with another user over a satellite link. The User Node HPC communicates with the NDS server to obtain the most current node directory list. The node directory list provides information about all nodes in the network that is critical to the OVC application. Such information includes but is not limited to the availability of the node, the compute power of the node (e.g. HPC or regular server/PC) for hosting virtualized applications, and the trust level for the node. Based on this information, the User Node HPC initiates establishing the chain to include the DM Node, WSC Node, and the RFDC Node. In this chain, none of the intermediary nodes can tell which node is the originator and which one is the final recipient of the traffic. Each Intermediary Node will simply forward the traffic to the next node.

The chain establishment is initiated when the User Node HPC obtains the public key of the first intermediary node using a Public Key Infrastructure (PKI). It uses the asymmetric public key to establish a secure connection to the first node. Subsequently, a shared secret is created between the User Node and the first node, which is the symmetric key for high-throughput encryption of traffic. Using the secure connection established with the first node, the User Node then communicates securely with the second node to establish a connection between the 2nd and 3rd nodes. This process continues until the node identified to be the DM Node is reached. The DM Node then initiates the establishment of the next chain in the same exact manner to get to the WSC. Subsequently, the WSC Node initiates the establishment of the next chain to the RFDC Node. Secure OVC signaling over-the-air between the RFDC on the local network and the RFDC on the remote network propagates the chain establishment on the remote network. The same mechanism is used on the remote network to propagate a connection from the remote RFDC Node to a remote WSC node to a remote DM Node to get to the remote User Node.

Once the circuit has been established using the OVC protocol, the User Node HPC performs a multi-layer encryption using the symmetric keys for all the intermediary nodes in the chain to the DM Node. Thus, the user data is encrypted multiple times, where each time a different key associated with each subsequent node in the chain is utilized. The encryption includes the source and destination IP addresses to obfuscate the sender and the recipient. Furthermore, the next node address is prepended to the traffic being encrypted for every layer in this multi-layered encryption process. The multi-layered encrypted traffic is sent to the first node, where the first layer of encryption is unwrapped and information about the next destination node is uncovered. The first node forwards the encrypted traffic onto the second node, where another layer of encryption is removed and the next destination node address is uncovered. This process continues through all intermediary nodes until the traffic arrives at the Destination Node, which is the DM Node. The DM Node removes the final layer of encryption to extract the user data. As a DM Node, it executes the DM functionality to apply the waveform function to the user data to generate a modulated signal. The actual waveform type is user application dependent. The modulated I/Q samples that may be encapsulated in a proprietary or standard framing structure, such as ANSI TIA 5041, are then encrypted multiple times with the traffic encryption keys of the next set of nodes to get to the WSC Node. Once the data has arrived at the WSC Node, the appropriate WSC transfer function is applied to the decrypted output from the DM. The WSC Node then constitutes the next Source Node for the chain to the RFDC node. The WSC Node encrypts the WSC output multiple times with the symmetric keys for the corresponding nodes in this chain.
When the sampled I/Q arrive at the RFDC, the decrypted samples are converted to RF signal for transmission over the satellite link to the remote side of the network. If the RFDC Node utilizes Transmission Security (TRANSEC), then the transmitted RF signal can also be maintained obfuscated. On the remote side of the network, the same multi-layer encryption across each chain is performed until the user data is received by the recipient and final decryption is performed to uncover the plaintext information that was sent by the sender. In this end-to-end circuit, none of the intermediary nodes can determine the source of the data or the final recipient. Thus, any intermediary node that has been compromised cannot reveal any critical information about the data. Furthermore, the data itself is encrypted multiple times for added security.

In the preferred embodiment, all Source Nodes functionality in every chain performing the multi-layer encryption operation are software applications implemented for an HPC architecture to deliver line rate performance. This means the User Node, DM Node, WSC Node, and the RFDC Node are all HPCs with the OVC protocol implemented as a software application.

In an alternate embodiment, encrypted traffic is sent continuously across every chain to prevent traffic analysis of when actual traffic starts and stops. This is achieved by sending dummy data from a Source Node to a Destination Node, where the dummy data is extracted and discarded.
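The per-chain layering described above (next-node address prepended at every layer, one layer removed per hop) and the dummy-data embodiment, as an added sketch that is not code from the patent. Assumptions: the frame layout, the node names and the per-layer HMAC tag are hypothetical, and a SHA-256 keystream stands in for the AES modes named in the examples so that the block runs with the standard library only.

```python
import hashlib
import hmac
import os

NONCE, TAG = 16, 32
DATA, DUMMY = 0, 1   # innermost frame type; DUMMY marks cover traffic


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one per-hop shared secret.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher (assumption): SHA-256 in counter mode, not AES.
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """One encryption layer: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = nonce + bytes(a ^ b for a, b in zip(plaintext, ks))
    return body + hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Remove one layer; reject frames that were altered or use another key."""
    if len(blob) < NONCE + TAG:
        raise ValueError("frame too short")
    body, tag = blob[:-TAG], blob[-TAG:]
    expect = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("layer authentication failed")
    nonce, ct = body[:NONCE], body[NONCE:]
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def wrap(chain, payload: bytes, kind: int = DATA) -> bytes:
    """Source Node: chain is [(address, key), ...] in path order, destination last."""
    blob = bytes([kind]) + payload
    next_hop = b""                      # empty next hop marks the destination layer
    for addr, key in reversed(chain):   # innermost (destination) layer first
        blob = seal(key, bytes([len(next_hop)]) + next_hop + blob)
        next_hop = addr.encode()
    return blob


def peel(key: bytes, blob: bytes):
    """Any node: remove its own layer, learn only the next hop."""
    pt = unseal(key, blob)
    n = pt[0]
    return pt[1:1 + n].decode(), pt[1 + n:]


def relay(chain, source: str, blob: bytes):
    """Simulate forwarding; trace holds (node, previous hop, next hop) per node."""
    keys = dict(chain)
    trace, prev, here = [], source, chain[0][0]
    while True:
        nxt, blob = peel(keys[here], blob)
        trace.append((here, prev, nxt))
        if not nxt:
            break
        prev, here = here, nxt
    kind, data = blob[0], blob[1:]
    # The Destination Node extracts and discards dummy data.
    return (None if kind == DUMMY else data), trace


if __name__ == "__main__":
    # Constructed four-node chain, as in the FIG. 10 description.
    names = ("n1.example", "n2.example", "n3.example", "dm.example")
    chain = [(n, os.urandom(32)) for n in names]
    data, trace = relay(chain, "user.example", wrap(chain, b"constructed user data"))
    for node, prev, nxt in trace:
        print(f"{node}: from {prev} -> {nxt or '(deliver)'}")
    print(data)
```

In this layout every layer adds a nonce, a tag and an address, so the frame shrinks at each hop; a deployment that wants to hide a node's position in the chain would also need fixed-size framing.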

In an alternate embodiment, if a circuit is broken either due to malfunction of a node or due to an attack on a network, the OVC protocol can re-establish a new circuit path between the sender and the recipient to avoid the affected nodes.

The following are particular implementations of the OVC protocol as an HPC application, and the use of these methods are provided as non-limiting examples.

A user desires to send user data from a source location to a remote location using a virtualized, modular, and distributed circuit consisting of a DM, a WSC, and a RFDC. The user needs to send the user data as a Digital Video Broadcast, Gen 2 (DVB-S2) modulated carrier. Thus, the DM is configured as a DVB-S2 instance. The user HPC communicates with the NDS to obtain the most up-to-date directory list for the nodes in the network using OVC messaging protocol. Based on the available nodes, the OVC protocol running as an application on the user HPC defines the most optimal path to close a circuit with the remote user. Using the PKI infrastructure, each source node obtains the public key for all the intermediary nodes in their respective chain. Each source node uses secure communication to negotiate a shared secret to be used for symmetric key encryption of the traffic. AES-256 in CBC mode is used to encrypt the traffic across all chains. The user data is 50 Mbps in throughput, while the output of the DM is 5.2 Gbps of traffic. The output of the DM is an ANSI TIA 5041 encapsulated frame structure consisting of 16-bits of I/Q samples at a sampling rate of 150 Msps. The WSC combines four carriers sampled at 150 Msps for a combined traffic rate of approximately 20.8 Gbps to the RFDC. The OVC protocol implemented as a virtualized application targeting the HPC provides the multi-layer encryption at the rates of 50 Mbps, 5.2 Gbps, and 20.8 Gbps to the DM Node, the WSC Node, and the RFDC Node, respectively. Such high throughput (performance) is achieved by partitioning the OVC protocol appropriately between the CPU host code and the FPGA optimized kernel code. The RFDC is configured for L-Band operation.

A user desires to send user data from a source location to a remote location using a virtualized, modular, and distributed circuit consisting of a DM, a WSC, and an RFDC. The user needs to send the user data as a spread spectrum modulated carrier. Thus, the DM is configured as a Spread Spectrum virtual waveform instance. The user HPC communicates with the NDS to obtain the most up-to-date directory list for the nodes in the network using the OVC messaging protocol. Based on the available nodes, the OVC protocol running as an application on the user HPC defines the optimal path to close a circuit with the remote user. Using the PKI, each source node obtains the public key for all the intermediary nodes in its respective chain. Each source node uses secure communication to negotiate a shared secret to be used for symmetric key encryption of the traffic. AES-128 in Counter mode is used to encrypt the traffic across all chains. The user data is 1 Mbps in throughput, while the output of the DM is 3.9 Gbps of traffic. The output of the DM is a proprietary encapsulated frame structure consisting of 12-bit I/Q samples at a sampling rate of 150 Msps. The WSC combines ten carriers sampled at 150 Msps for a combined traffic rate of approximately 40 Gbps to the RFDC. The OVC protocol implemented as a virtualized application targeting the HPC provides the multi-layer encryption at the rates of 1 Mbps, 3.9 Gbps, and 40 Gbps to the DM Node, the WSC Node, and the RFDC Node, respectively. Such high throughput (performance) is achieved by partitioning the OVC protocol appropriately between the CPU host code and the FPGA optimized kernel code. The RFDC is configured for L-Band operation.
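The multi-layer encryption used in the two implementations above can be sketched as follows. This is an added example in Go, not code from the patent or its OpenCL implementation: the function names (`Wrap`, `Peel`), the layer format (counter block followed by ciphertext) and the sample keys are assumptions, and the PKI-based negotiation of each shared secret is not shown. It uses AES-128 in Counter mode, as in the spread spectrum implementation.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func ctr(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, fmt.Errorf("bad layer key: %w", err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in) // Counter mode: same call encrypts and decrypts
	return out, nil
}

// Wrap adds the last hop's layer first, so the first hop's layer ends up outermost.
func Wrap(keys [][]byte, data []byte) ([]byte, error) {
	for i := len(keys) - 1; i >= 0; i-- {
		iv := make([]byte, aes.BlockSize) // fresh random counter block per layer
		if _, err := rand.Read(iv); err != nil {
			return nil, err
		}
		ct, err := ctr(keys[i], iv, data)
		if err != nil {
			return nil, err
		}
		data = append(iv, ct...) // layer = counter block || ciphertext (assumed format)
	}
	return data, nil
}

// Peel removes the one layer encrypted under key and returns what it enclosed.
func Peel(key, layer []byte) ([]byte, error) {
	if len(layer) < aes.BlockSize {
		return nil, fmt.Errorf("layer of %d bytes has no counter block", len(layer))
	}
	return ctr(key, layer[:aes.BlockSize], layer[aes.BlockSize:])
}

func main() {
	keys := [][]byte{[]byte("dm-node-key-0001"), []byte("wsc-node-key-002"), []byte("rfdc-node-key-03")}
	onion, _ := Wrap(keys, []byte("user data frame")) // keys and frame are constructed samples
	for _, k := range keys {
		onion, _ = Peel(k, onion) // each node strips only its own layer
	}
	fmt.Printf("delivered: %q\n", onion)
}
```

Counter mode and CBC mode provide confidentiality only, so a node peeling a layer cannot detect that the layer was modified in transit; a design that needs tamper detection adds authentication to each layer.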

A user desires to send user data from a source location to a remote location using a virtualized, modular, and distributed circuit consisting of a DM, a WSC, and an RFDC. The communication circuit is to be fully obfuscated using the OVC protocol. The user needs to send the user data as a 5G modulated carrier for a wireless network. Thus, the DM is configured as a 5G virtual instance. The RFDC is configured for the LTE frequency range.

A user desires to send user data from a source location to a remote location using a virtualized, modular, and distributed circuit consisting of a DM, a WSC, and an RFDC. The communication circuit is to be fully obfuscated using the OVC protocol. The user needs to send the user data as a tactical radio modulated carrier. Thus, the DM is configured as a Single Channel Mode (SCM) virtual instance. The RFDC is configured for VHF operation.

1. A system for providing an anonymous and obfuscated communication over a virtual, modular and distributed satellite communication network, the system comprising: a node directory server (NDS); an obfuscated virtual communication (OVC) protocol, wherein the OVC protocol is configured to perform: messaging between network nodes and the NDS to announce node presence, status, and/or capability; establishing a first multi-layer obfuscated communication circuit between Users via intermediary nodes, digital modem (VM) nodes, Wideband Signal Channelizer (WSC) nodes, and Radio Frequency Digital Converter (RFDC) nodes; where the circuit is a series connection of chains including a source node, one or more intermediary nodes, and a destination node; performing a multi-layer encryption of traffic across each chain in a first multi-layer obfuscated communication circuit via a unique key established with each intermediary node in a chain; and decrypting a layer of encryption of the intermediary nodes as traffic propagates from the source node to the destination node; a network; a public key server; and a satellite communication line.
2. The system of the claim 1, wherein the OVC protocol is a high level coding language platform running on a high performance computer or a server.
3. (canceled)
4. (canceled)
5. The system of the claim 1, wherein the NDS provides information about one or more of the nodes in the network.
6. (canceled)
7. The system of the claim 1, wherein the DM, the WSC, and the RFDC can be combined to share a same node.
8. The system of the claim 1, wherein the multi-layer encryption performed by the source node in every chain includes Internet Protocol (IP) source and destination addresses for anonymity.
9. (canceled)
10. (canceled)
11. (canceled)
12. (canceled)
13. (canceled)
14. A method for providing anonymous communication over a virtual, modular and distributed satellite communication network, the method comprising: communicating between a source and a node directory server (NDS) to obtain a current directory list for one or more nodes in a network via an obfuscated virtual communication OVC protocol, wherein the node and the NDS exchange messages via the OVC protocol to announce the node's presence, status, and/or capability; defining a first path to close a circuit with a destination via the OVC protocol in response to obtaining a current directory list for the nodes, wherein the first path is a series of connection of chains including the source, one or more intermediary nodes, and a destination, and wherein the intermediary nodes comprise digital modem (VM) nodes, Wideband Signal Channelizer (WSC) nodes, and/or Radio Frequency Digital Converter (RFDC) nodes; obtaining a public key for each node via a public key infrastructure; performing a multi-layer encryption of data across each chain via a unique key established with each intermediary node; and sending the data from the source to the destination via a satellite communication line through the network nodes, wherein each node communicates to negotiate a shared secret to be used for a symmetric key encrypting the data via a secure communication, and wherein a layer of encryption of the data is decrypted as the data propagates from the source to the destination.
15. The method of the claim 14, wherein the OVC protocol is a high level coding language platform running on a high performance computer and/or a server.
16. (canceled)
17. (canceled)
18. The method of the claim 14, wherein the NDS provides information about one or more of the nodes in the network.
19. (canceled)
20. The method of the claim 14, wherein the DM, the WSC, and the RFDC can be combined to share a same node.
21. The method of the claim 14, wherein the multi-layer encryption performed by the source in every chain includes Internet Protocol (IP) source and destination addresses for anonymity.
22. The method of the claim 14, wherein the DM incorporates Transmission Security (TRANSEC) to provide obfuscation of an RF signal when transmitted over a satellite link.
23. The method of the claim 14 further comprising sending encrypted dummy data to prevent traffic analysis in response to the network being idle.
24. The method of the claim 14, wherein the OVC protocol and a multi-layer encryption function is implemented in Open Computing Language (OpenCL).
25. The method of the claim 24, wherein the multi-layer encryption performed by the source in every chain is implemented as an optimized OpenCL kernel code targeting a hardware acceleration device in a high performance computer to achieve high-throughput line rate operation.
26. (canceled)
27. A non-transitory computer readable storage medium storing instructions that when executed by a processing device, cause the processing device to: communicate between a source and a node directory server (NDS) to obtain a current directory list for one or more nodes in a network via an obfuscated virtual communication OVC protocol, wherein the node and the NDS exchange messages via the OVC protocol to announce the node's presence, status, and/or capability; define a first path to close a circuit with a destination via the OVC protocol in response to obtaining a current directory list for the nodes, wherein the first path is a series of connection of chains including the source, one or more intermediary nodes, and a destination, and wherein the intermediary nodes comprise digital modem (VM) nodes, Wideband Signal Channelizer (WSC) nodes, and/or Radio Frequency Digital Converter (RFDC) nodes; obtain a public key for each node via a public key infrastructure; perform a multi-layer encryption of data across each chain via a unique key established with each intermediary node; and send the data from the source to the destination via a satellite communication line through the network nodes, wherein each node communicates to negotiate a shared secret to be used for a symmetric key encrypting the data via a secure communication, and wherein a layer of encryption of the data is decrypted as the data propagates from the source to the destination.
28. The non-transitory computer-readable storage medium of claim 27, wherein the OVC protocol is a high level coding language platform running on a high performance computer and/or a server.
29. (canceled)
30. (canceled)
31. The non-transitory computer-readable storage medium of claim 27, wherein the NDS provides information about one or more of the nodes in the network.
32. (canceled)
33. The non-transitory computer-readable storage medium of claim 27, wherein the DM, the WSC, and the RFDC can be combined to share a same node.
34. The non-transitory computer-readable storage medium of claim 27, wherein the multi-layer encryption performed by the source node in every chain includes Internet Protocol (IP) source and destination address for anonymity.
35. The non-transitory computer-readable storage medium of claim 27, wherein the DM incorporates Transmission Security (TRANSEC) to provide obfuscation of an RF signal when transmitted over a satellite link.
36. (canceled)
37. (canceled)
38. (canceled)
39. (canceled)